[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: OCSP RFC and OCSP version 2 ID

To: Peter Williams <peterw@xxxxxxxxxxxx>, "'Denis Pinkas '" <Denis.Pinkas@xxxxxxxx>, Santosh Chokhani <chokhani@xxxxxxxxxxxx>
Subject: RE: OCSP RFC and OCSP version 2 ID
From: Santosh Chokhani <chokhani@xxxxxxxxxxxx>
Date: Wed, 16 Jan 2002 14:50:25 -0500
Cc: "'ietf-pkix@xxxxxxx '" <ietf-pkix@xxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Title: RE: OCSP RFC and OCSP version 2 ID

Why aren't the authors responding to this contradiction in the RFC and carried out in the ID?

-----Original Message-----
From: Peter Williams [mailto:peterw@xxxxxxxxxxxx]
Sent: Wednesday, January 16, 2002 2:41 PM
To: 'Denis Pinkas '; 'Santosh Chokhani '
Cc: 'ietf-pkix@xxxxxxx '
Subject: RE: OCSP RFC and OCSP version 2 ID

Denis,

You refer to an assumed "main mechanism" in your note. Speaking factually,
to hopefully guide you, sensibly:-

The main [reference] mechanism(s) at, and shortly after,
the time of writing OCSP IDs included:-

(1) VeriSign, who used an oracle database-based repository to feed data
to OCSP deamons acting in cached and interactive, direct-trust
mode; CRLs were not involved. OCSP proxing/multiplexing interactive
direct-trust mode was added, shortly after standarization, for a
defense customer bridging multiple certification domains.

(2) ValiCert, who used direct CRLs to feed data to direct/indirect OCSP
deamons. Indirect CRLs and CRLDPs support was added slightly after
the architects had harmonized their work.

Both mechanisms evolved further, outside of IETF and
in vendor forums, particularly in the area of: application
integration, CRLDPs and delta-CRL data sources, proxying
transaction semantics and response resigning, data freshness
signalling, and OCSP client interaction with X.509 and
PKIX-style path processing and X.509 applications such as
SSLv3/https and MTA-based automatic xmldsig signature
verification on B2B and banking protocol XML streams.

Historically, this work essentially re-designed the standardized
features of the "distributed authentication model" of
X.500 1988, for OCSP-borne queries.

Currently, VeriSign's current work in W3C also
reflects alot of the understanding on the required
semantics of realtime trust models.

Peter.

-----Original Message-----
From: Denis Pinkas
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Sent: 1/16/02 12:04 AM
Subject: Re: OCSP RFC and OCSP version 2 ID

At the time the document was written, the main mechanism to feed the
information to the OCSP server was to use CRLs. So it seems sensible to
think that these fields are copied from a CRL.

Prev by Date: RE: OCSP RFC and OCSP version 2 ID
Next by Date: Re: Cautionary Period Straw Poll
Previous by thread: Re: OCSP RFC and OCSP version 2 ID
Next by thread: RE: OCSP RFC and OCSP version 2 ID
Index(es):
- Date
- Thread